Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN client and NAT

Hello I am having a major problem with Nat and the CIsoc vpn client 3.63 and a PIX 515 with version 6.14. WE have the clients terminating on the Pix but what is happenting is if the client is behind a firewall or nat network they can connect to the network but they can not acces any resources. This is extermely fustrating and I can not figure out why. Any help would be appreciated. IF they are not behind the Firewall or NAT device there are no problems.



Cisco Employee

Re: VPN client and NAT

This is caused by the fact that IPSec and NAT don't get along well. DEvices that NAT (or more specifically PAT) internal hosts to one external address keep track of the individual sessions by also changing the UDP or TCP source port to a specific number. IPSec however, sits right on top of IP, it is not a TCP/UDP protocol, and therefore has no port information. A lot of NAT/PAT devices and firewalls (including the PIX) will drop these packets cause they can't process them properly.

To get around this problem the VPN3000 client and concentrator have a feature called IPSec over UDP or TCP, where they encapsulate their IPSec packets in TCP/UDP packets, which a NAT device can then NAT properly. Unfortunately, the PIX doesn't support this feature.

A standard has recently been finalised called NAT-T, or NAT Transparency, where VPN end devices (both clients and termination points such as routers, concentrators and firewalls) will determine automatically during tunnel startup that there is a NAT device in between them and they'll encapsulate everything in UDP port 4500 packets. The VPN client supports this feature automatically from v3.6 onwards. The PIX supports it in v6.3 which is due out late this month/early April hopefully. This code is in open beta, so if you open a TAC case, ask nicely and promise to send us a report of how you go ( and you don't mind running beta code on your production PIX), all your problems will be solved :-)

CreatePlease login to create content